TIMELY ACTIONS NEEDED TO IMPROVE DOT'S CYBERSECURITY
Department of Transportation

Report Number: FI-2011-022
Date Issued: November 15, 2010

Prepared by the
Office of Inspector General
U.S. Department of Transportation

Memorandum
U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Subject: ACTION: Timely Actions Needed to Improve DOT's Cybersecurity
         Department of Transportation
         Report Number: FI-2011-022
Date: November 15, 2010

From: Calvin L. Scovel III
      Inspector General
Reply to Attn. of: JA-20

To: Chief Information Officer

In May 2009, the White House reported the need to secure the Federal Government's digital infrastructure and its information, vital to the economy and national security, from compromise.[1] The Department of Transportation's (DOT) $3.1 billion annual information technology (IT) portfolio is one of the largest among Federal civilian agencies. DOT's IT budget covers over 400 information systems across 13 Operating Administrations (OA),[2] nearly two-thirds of which belong to the Federal Aviation Administration (FAA). The Department's financial systems manage and disburse approximately $90 billion in Federal funds annually.

To protect the information systems that support Federal operations and assets from cyber threats, the Federal Information Security Management Act (FISMA) of 2002 requires agencies to develop, document, and implement agency-wide information security programs. FISMA also requires agency program officials, chief information officers (CIO), and inspectors general to conduct annual reviews of their agencies' information security programs and report the results to the Office of Management and Budget (OMB).

Consistent with FISMA and OMB requirements, our overall audit objective was to determine the effectiveness of DOT's information security program and practices. Specifically, we assessed DOT's (1) information security policy and procedures; (2) enterprise-level information security controls;[3] (3) management of information security weaknesses; and (4) system-level security controls. As also required by OMB, we provided various assessments and performance measures to OMB via its Web portal.[4]

[1] White House Report on Cyberspace Policy Review, May 2009.
[2] For purposes of reporting under the Federal Information Security Management Act of 2002, we consider "Operating Administrations" to include all components listed in Exhibit B.
[3] For purposes of this report, enterprise-level controls are controls that are expected to be implemented department-wide (security training, incident response and reporting, and configuration management) and are not system-specific.

We conducted this audit between March 2010 and October 2010 in accordance with generally accepted government auditing standards. Exhibit A details our scope and methodology.

RESULTS IN BRIEF

During fiscal year 2010, DOT succeeded in providing security awareness training to over 90 percent of its employees, including five OAs that provided this training to 100 percent of their employees. Despite these accomplishments, the Department has not made the progress needed to address other critical areas. As a result, DOT's information security program does not meet Federal requirements and is still not as effective as it should be. In addition, the Department has successfully addressed only 2 of the 27 recommendations we made in our last report, issued in November 2009. The following provides details of our findings.

   1. The Office of the Chief Information Officer (OCIO) has not developed the required procedural guidance to augment the high-level security policy it issued in 2009, guidance the Operating Administrations (OA) need in order to manage information security effectively. Furthermore, some policy lacks important elements. For example, DOT's Chief Information Officer Policy (CIOP) does not address the reporting of contractor-operated systems. In September 2010, the OCIO issued a revised plan of action and milestones (POA&M) policy that addressed many of our prior year concerns, but the policy incorrectly prioritizes weakness resolution by providing shorter timeframes for resolving low priority weaknesses than for resolving high ones. These various policy and procedure issues contributed to the other issues we identified.

   2. The Department has not made sufficient progress in implementing enterprise-level controls.
      For example, DOT is still unable to effectively track how many contractors it has on board, has no controls to confirm that all major security incidents reported to the Department of Homeland Security (DHS) were actually received by DHS, and does not have security baseline configurations for all of its systems. Furthermore, the Department's Common Operating Environment[5] (COE) compliance with Federal Desktop Core Configuration (FDCC) requirements,[6] which prescribe secure settings for Windows XP software, actually declined since our last review. Only four OAs reported having tools to verify FDCC compliance. The Department's largest OA, FAA, does not use such tools and is unable to determine whether its networks comply with FDCC requirements. Our tests at FAA headquarters revealed numerous instances of FDCC non-compliance without the required documentation to justify the non-compliance.

   3. The Department has not effectively identified, tracked, or prioritized information security weaknesses in its POA&Ms to efficiently resolve these weaknesses. The Department tracked approximately 4,800 weaknesses but did not remediate 1,200 of them (25 percent) within approved timeframes. The Department also did not assign a scheduled completion date to 240 weaknesses and an estimated remediation cost to 404 weaknesses.

   4. DOT did not establish adequate controls to protect its systems or to recover them in the event of a disruption. As of the end of fiscal year 2010, the Department had not certified and accredited 41 systems (approximately 10 percent of the total number), including several high-impact systems, for operation. Our review of a statistical sample of 33 out of 436 systems found that approximately half had one or more of the following deficiencies: (1) the certification and accreditation did not meet National Institute of Standards and Technology (NIST) standards; (2) the contingency plan testing was insufficient; and/or (3) the required annual testing did not meet NIST standards. The Department also lacked adequate controls over continuous monitoring, oversight of contractor-operated systems, remote access, and account management. For example, the Department does not use two-factor authentication to secure remote access to its systems. We also identified network accounts assigned to deceased individuals.

We are making a series of recommendations to assist the agency in establishing and sustaining an effective information security program, one that complies with FISMA, OMB, and NIST requirements. Exhibit C identifies recommendations from our prior year report that the Department still needs to resolve.

[4] OMB has designated this information as "For Official Use Only." Consequently, our submission to OMB is not contained in this report.
[5] The COE provides network infrastructure support to DOT Headquarters and remote offices, except FAA and FMCSA field sites.
[6] The National Institute of Standards and Technology, the Department of Defense, and the Department of Homeland Security developed security configuration settings for certain Windows operating systems, including XP. OMB mandated agencies to adopt these settings, which are referred to as FDCC requirements.

BACKGROUND

Ensuring a secure global digital information and communications infrastructure is one of the President's seven guiding principles in protecting the American people.[7] As the White House has reported, both the Federal Government and the private sector face new cybersecurity threats, including terrorists and international crime groups that target U.S. citizens, commerce, critical infrastructure, and the Government by attempting to compromise computer-based information. Undeterred, these individuals could undermine national security and degrade civil liberties.

In October 2008, we reported that the Department's information security program and practices were not effective.[8] Specifically, we found that DOT had not established adequate policies, procedures, and training to identify weaknesses in information security, to protect computer systems and networks, including those containing personally identifiable information (PII), or to recover them should an incident occur. We made 27 specific recommendations aimed at addressing these deficiencies. To date, DOT has addressed all but one of those recommendations.

In November 2009, we reported that the Department had issued its information security policy, the first step in building a sustainable information security program, and had improved the COE's FDCC compliance.[9] However, the Department had not made sufficient progress in other areas. As a result, the Department's information security program was not as effective as it should be and did not meet all Federal requirements. We made 27 additional recommendations for addressing critical vulnerabilities that would enable DOT to establish a more mature information security program. Exhibit C lists these recommendations and their implementation status.

New challenges emerged in 2010. Several congressional bills addressed concerns over the effectiveness of FISMA and government-wide information security. The Administration's interest in cybersecurity resulted in the appointment of a Cyber Security Czar. OMB addressed criticism from various parties, including the Government Accountability Office, that its FISMA metrics were not effective by establishing new ones. These new metrics require OIG to assess information security in the eight areas required by the previous metrics plus two new areas: remote access, and account and identity management. For 2010, OMB did not request the OIG to report on privacy issues.

[7] White House Issues: Homeland Security (www.whitehouse.gov/issues/homeland-security).
[8] Audit of Information Security Program, OIG Report FI-2009-003, October 8, 2008. OIG reports and testimonies can be found on our Web site at www.oig.dot.gov.
[9] Audit of DOT's Information Security Program and Practices, OIG Report FI-2010-023, November 18, 2009.

DOT'S INFORMATION SECURITY POLICY AND PROCEDURES REMAIN INADEQUATE

FISMA requires each Department's Chief Information Officer to develop and maintain information security policies, procedures, and control techniques to address security requirements. In prior reports, we recommended revisions to the information security policies that direct the security efforts of DOT's OAs.[10] However, some of these policies remain in the review process, while the Department has not initiated action on others.
[10] DOT's 13 OAs are referred to in this report by their acronyms. For a list of the OAs and their acronyms, see Exhibit B.

Meanwhile, the OAs have little or no procedural guidance instructing them how to implement information security effectively and consistently. In Table 1, we note areas that the Department should consider in its development of adequate guidance to OAs.

Table 1: Deficiencies in Policy and Procedures

Certification and Accreditation (C&A) of Controls
  FISMA program area: The assessment of security controls to determine if the controls have been implemented effectively.
  OIG's evaluation: C&A procedures do not sufficiently guide agency personnel in effectively managing the security for the life of the system.

Continuous Monitoring of Controls
  FISMA program area: Required as part of the security authorization process for ensuring that controls remain effective over time.
  OIG's evaluation: Continuous monitoring policy is inappropriately high-level and does not sufficiently guide agency personnel in identifying and documenting the security controls inherited from other systems.

Plans of Action and Milestones (POA&M)
  FISMA program area: Tracks the measures implemented to correct security weaknesses to eliminate vulnerabilities.
  OIG's evaluation: The revised policy emphasizes correcting low weaknesses in short timeframes while allowing considerably more time to correct high and moderate weaknesses. No guidance exists for categorizing weaknesses or on the use of the central database for documenting and tracking POA&Ms.

Security Awareness and Specialized Training
  FISMA program area: Annual training required by FISMA for government and contractor personnel.
  OIG's evaluation: The policy and procedures are not sufficiently developed to guide OAs in identifying, tracking and validating contractors requiring annual security training.

Account and Identity Management
  FISMA program area: Controls for managing and monitoring network accounts.
  OIG's evaluation: The departmental procedures are not sufficiently developed to guide OAs in establishing controls. For example, guidance does not address account naming standards. In addition, operating procedures for personal identity verification (PIV) cards are not complete. For example, these procedures do not address termination of PIV cards.

Configuration Management
  FISMA program area: Policy and procedures that ensure that all system owners have implemented approved security control baselines.
  OIG's evaluation: Does not include detailed guidance for managing policy requirements. For example, little guidance exists on the development of inventories of technology products and adoption of secure baselines. There are also no procedures for documenting and approving FDCC deviations.

Contractor Oversight
  FISMA program area: Monitoring of the effectiveness of support system security provided or managed by contractors, or other agencies or sources.
  OIG's evaluation: Neither policy nor procedures contain detailed guidance for reporting to OMB on contractor-operated systems. The policy also does not provide standard contract language regarding contractor compliance with Federal security requirements.

Remote Access
  FISMA program area: Components for telework and remote access, including client devices, servers, and internal resources, should be secured against known weaknesses, including the lack of physical security controls, use of unsecured networks, connections between infected devices and internal networks, and the availability of internal resources to external hosts.
  OIG's evaluation: Policy and procedures on remote access do not establish an effective approach to identifying, monitoring, tracking and validating users and equipment that remotely access DOT networks and applications.

Source: OIG Analysis

The lack of adequate department-wide guidance on addressing security requirements increases the likelihood that OAs will create internal practices and ad-hoc procedures which may not comply with OMB or DOT requirements. Furthermore, the deficiencies in DOT's information security policies and procedures have contributed to the other weaknesses documented in this report.

DOT'S ENTERPRISE-LEVEL CONTROLS (SECURITY TRAINING, INCIDENT REPORTING, AND CONFIGURATION MANAGEMENT) ARE INADEQUATE

DOT's department-wide controls, those that must be implemented at the enterprise level, are still inadequate. Because it cannot track the number of contractors it has employed, DOT does not know how many of its contractors have received the required security training. Though a significant number of employees received specialized training, certain key employees did not. The Department has not provided evidence that all security incidents, including those that may have breached sensitive information, were reported to the Department of Homeland Security. Furthermore, DOT did not demonstrate sufficient progress in its management of configuration baselines, including the FDCC baselines for Windows XP and Internet Explorer.

DOT Cannot Accurately Track Contractors' Security Awareness Training

FISMA calls for the building and maintenance of comprehensive security awareness training programs which ensure that, before receiving access to agency information systems, all users[11] are adequately trained in their security responsibilities and how to fulfill those responsibilities. DOT policy requires that Line of Business and OA CIOs ensure that all DOT information system users receive basic security awareness training before being authorized to access the system, and at least annual training thereafter, as well as updates on system changes.

However, the Department has no system that effectively tracks all contractors working for the Department. For example, the Department's Investigative Tracking System[12] (ITS) lists over 54,000 contractors in active status, 41,000 more than the Department reported to us as having access to its networks.
The Department's Office of the Chief Information Officer (OCIO) and the Director of Security stated that ITS was not created to track active contractors, but rather to store information related to pre-hiring background investigations of both employees and contractors; this information is intended to remain stored as long as the personnel remain employed with the Department. However, the officials acknowledged that the Department has no authoritative system to track active contractors and that ITS is the one system that could do this. The Office of Security also informed us that it has requested that OAs assist it in reconciling the numbers in ITS with the actual number of contractors working for the Department. Until this reconciliation occurs, the Department will not have an efficient and effective method of providing security awareness training to contractors and tracking those contractors that have completed it.

Because OAs do not have capabilities for tracking all employed contractors, they have no assurance that all contractors have received security awareness training. Some OAs have developed their own methods for determining percentages of contractors that have completed training, but these methods are labor-intensive and rely on information from systems that do not contain reliable data.

[11] Users may include employees, contractors, foreign or domestic guest researchers, other agency personnel, visitors, guests, and other collaborators or associates requiring access.
[12] The Investigative Tracking System is intended to house the social security numbers of current DOT employees and active contractors and other personally identifiable information, including information on passports, visas and home addresses.
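The reconciliation the Office of Security has asked the OAs for (matching the personnel and contractor roster against the directory) is the same check that would have surfaced the network accounts assigned to deceased individuals noted in the Results in Brief. The following Python script is an added example written for this page; it is not DOT's code or the report's. Its record layouts, field names and every roster and directory entry are constructed assumptions. It also shows why a match on names alone, which is all two systems without a shared identifier allow, cannot be relied on: two roster entries with the same name leave the account unresolved, and the script reports that rather than guessing.

```python
"""Reconcile a directory export against a personnel/contractor roster.

Added example for this page, not code from the OIG report or from DOT. The
record layouts, field names and every entry below are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample of an authoritative roster (what ITS was expected to
# hold): one row per person, with a unique person_id and an HR status.
ROSTER = [
    {"person_id": "P1001", "name": "Smith, John A.",   "status": "active",    "type": "contractor"},
    {"person_id": "P1002", "name": "GARCIA, MARIA",    "status": "active",    "type": "contractor"},
    {"person_id": "P1003", "name": "Lee, Robert",      "status": "separated", "type": "employee"},
    {"person_id": "P1004", "name": "Lee, Robert",      "status": "active",    "type": "contractor"},
    {"person_id": "P1005", "name": "O'Neil, Patricia", "status": "deceased",  "type": "employee"},
    {"person_id": "P1006", "name": "Nguyen, Thanh",    "status": "active",    "type": "contractor"},
]

# Constructed sample of an Active Directory export. Display names differ from
# the roster in case, punctuation and word order, as they do between any two
# independently maintained systems.
DIRECTORY = [
    {"sam": "jsmith",     "display": "John Smith",     "enabled": True},
    {"sam": "mgarcia",    "display": "Maria Garcia",   "enabled": True},
    {"sam": "rlee",       "display": "Robert Lee",     "enabled": True},
    {"sam": "poneil",     "display": "Patricia ONeil", "enabled": True},
    {"sam": "svc_backup", "display": "Backup Service", "enabled": True},
    {"sam": "tnguyen",    "display": "Thanh Nguyen",   "enabled": False},
]


def name_key(raw):
    """Normalize a name so 'Smith, John A.' and 'John Smith' compare equal.

    Lower-case, drop apostrophes and hyphens, split on anything non-alphabetic,
    drop single-letter tokens (middle initials) and sort the rest so word order
    is irrelevant. This is a lossy fallback for when the two systems share no
    identifier; it collides on common names, which reconcile() reports.
    """
    cleaned = re.sub(r"['\u2019-]", "", raw.lower())
    tokens = re.findall(r"[a-z]+", cleaned)
    return tuple(sorted(t for t in tokens if len(t) > 1))


def reconcile(roster, directory):
    """Classify every enabled account and every active roster entry.

    matched    - enabled account whose single roster match is active
    stale      - enabled account whose single match is separated or deceased
    ambiguous  - enabled account matching several roster entries (listed with
                 the candidate person_ids for manual resolution)
    orphan     - enabled account with no roster match at all
    no_account - active roster entry with no enabled account
    """
    by_key = defaultdict(list)
    for person in roster:
        by_key[name_key(person["name"])].append(person)

    result = {"matched": [], "stale": [], "ambiguous": [], "orphan": [], "no_account": []}
    seen = set()  # person_ids that some enabled account has been tied to
    for acct in directory:
        if not acct["enabled"]:
            continue  # a disabled account grants no access; skip it
        candidates = by_key.get(name_key(acct["display"]), [])
        if not candidates:
            result["orphan"].append(acct["sam"])
        elif len(candidates) > 1:
            ids = [p["person_id"] for p in candidates]
            result["ambiguous"].append((acct["sam"], ids))
            seen.update(ids)  # unresolved; do not also report them as lacking an account
        elif candidates[0]["status"] == "active":
            result["matched"].append(acct["sam"])
            seen.add(candidates[0]["person_id"])
        else:
            result["stale"].append(acct["sam"])
            seen.add(candidates[0]["person_id"])
    for person in roster:
        if person["status"] == "active" and person["person_id"] not in seen:
            result["no_account"].append(person["person_id"])
    return result


def contractors_with_resolved_access(roster, directory):
    """Active contractors tied to exactly one enabled account: the only
    defensible denominator for a contractor training-completion rate."""
    matched = set(reconcile(roster, directory)["matched"])
    matched_keys = {name_key(a["display"]) for a in directory if a["sam"] in matched}
    return [p["person_id"] for p in roster
            if p["type"] == "contractor" and p["status"] == "active"
            and name_key(p["name"]) in matched_keys]


if __name__ == "__main__":
    for bucket, items in reconcile(ROSTER, DIRECTORY).items():
        print(f"{bucket:11s} {items}")
    print("contractors with resolved access:", contractors_with_resolved_access(ROSTER, DIRECTORY))
```

On the constructed data, "rlee" is reported as ambiguous because the roster holds a separated employee and an active contractor with the same name, "poneil" is reported as stale because its only match is deceased, and the training-rate denominator comes out to two contractors, not four. Where the roster and the directory share a real identifier (an employee or contractor number stored in a directory attribute), that identifier should replace the name key, and name matching should be kept only for the residue.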
One OA, for example, stated that, based upon instruction from the Department, it attempted to match contractor names in ITS, despite its known unreliability, with those in COE's Active Directory and with self-assessments of the number of contractors it employed. As discussed below, however, COE's Active Directory also has reliability issues. Because of the reliability problems in both ITS and the COE Active Directory, using the two systems to identify active contractors is unlikely to produce reliable data.

While 95 percent of approximately 58,000 DOT employees received security awareness training in fiscal year 2010, over 3,000 employees did not. Contractor tracking issues along with the incomplete training of employees in security awareness represent significant security risks to the Department. Personnel without security awareness training are more likely to become victims of social engineering or commit acts that compromise information security.

Not All Department Employees with Significant Security Responsibilities Receive Required Specialized Training

DOT policy requires OAs to determine the content of specialized security training based on the specific requirements of their organization and the systems that employees and contractors have access to. Specifically, DOT policies require OAs to provide personnel that have access to system-level software (system owners and system and network administrators) with specialized security training adequate for performing their duties.

The Department reported 851 employees with significant security responsibilities. Although DOT reported that these 851 employees received specialized security training, our analysis, as shown in Table 2, indicates that approximately 61 personnel in key security-related job categories did not receive the training,[13] including six OA Chief Information Officers, two modal Information Security Officers, and ten modal Authorizing Officials.

Table 2: Job Functions and Employees Requiring Specialized Security Training (a)

Category                   FAA  FHWA  FMCSA  FRA  FTA  MARAD  NHTSA  OIG  OST(b)  PHMSA  RITA  SLSDC  STB  Reported  Not Reported
Chief Information Officer    7     1      0    0    1      0      1    1       2      0     0      0    1        14             6
IT Security Officer         56     2      1    5    3      0      1    1       1      0     4      1    1        76             2
System Administrator         2    84      0    0    1      0     37   12       0      1     0      0    0       137             7
System Designer/Developer  100    82      0    0    7      0      0    3       0     17     0      0    0       209             8
Network Administrator        4     0      0    0    0      0      1    0       2      1     0      0    0         8             9
Database Administrator       4     3      0    0    3      0      1    1       0      3     0      0    0        15             7
Certification Reviewer       0    14      0    0    0      0      1    0       0      0     0      0    0        15            11
Authorizing Official (AO)    0     1      0    0    0      0      1    0       0      0     0      0    0         2            11
Other                      169    36      9    5   58     18     36    0      10     29     4      1    0       375           N/A
Total                      342   223     10   10   73     18     79   18      15     51     8      2    2       851            61

Source: OIG Analysis
(a) See Exhibit B for full Operating Administration names. The OA column headings were lost in extraction; the order shown is the alphabetical order of Exhibit B, reconstructed from the row and column totals (note b confirms the OST column).
(b) OST identified 15 personnel that received specialized security training and were included in the total, but we found that 12 of these 15 reported that the NSA security briefing was considered specialized training. It is our opinion, however, that this briefing does not comply with NIST.

[13] Our scope was limited to 8 job categories.

As we noted in last year's review, DOT policy does not identify specific job functions, such as the CIO, Information Security Officer, and Database Administrator, that require specialized security training. As a result, the Department is at risk of not appropriately securing its information systems. Furthermore, without specialized security training, Department employees may not develop the skill sets needed to perform their security responsibilities.

The Department's Reporting Process Does Not Ensure that All Security Incidents Are Actually Reported to the Department of Homeland Security

OMB policy requires that each security incident be reported to the Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT). According to DOT, when an incident occurs, the OA reports it to DOT's Cyber Security Management Center (CSMC), which analyzes the report, categorizes the incident by type, and reports each incident to US-CERT. Subsequently, US-CERT generates a reference number for certain reported incidents. However, we found that, of 2,859 incidents reported to US-CERT by DOT between July 1, 2009 and August 15, 2010, 129 (4.5 percent) did not have a US-CERT reference number (see Table 3) or other evidence to ensure receipt.
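The control the report finds missing, evidence that US-CERT actually received each forwarded report, can be checked mechanically from CSMC's own records rather than assumed. The script below is an added example written for this page; it is not DOT's, CSMC's or the report's code, and its record layout, category labels and eight sample incidents are constructed assumptions. It excludes Categories 0 and 6 on the same basis as Table 3, treats an incident as unacknowledged when either the reference number or the report date is absent, and produces both the per-category summary and the follow-up list.

```python
"""Flag incidents forwarded to US-CERT that lack evidence of receipt.

Added example for this page, not code from the OIG report, DOT or CSMC. The
record layout, the category labels and all sample incidents are constructed
assumptions.
"""
from collections import Counter

# Categories that must be reported to US-CERT. Category 0 (Exercise/Test) and
# Category 6 (Unconfirmed Incidents) are excluded, as in the report's Table 3.
REPORTABLE = {
    1: "Unauthorized Access",
    2: "Denial of Service",
    3: "Malicious Code",
    4: "Improper Usage",
    5: "Scans/Probes/Attempted Access",
}

# Constructed sample of CSMC records after forwarding. None and an empty
# string both mean "nothing came back", which is how such fields look once
# exported from a ticketing system.
INCIDENTS = [
    {"id": "DOT-0001", "cat": 1, "uscert_ref": "INC-0101", "uscert_date": "2010-07-02"},
    {"id": "DOT-0002", "cat": 3, "uscert_ref": None,       "uscert_date": None},
    {"id": "DOT-0003", "cat": 3, "uscert_ref": "INC-0104", "uscert_date": None},
    {"id": "DOT-0004", "cat": 0, "uscert_ref": None,       "uscert_date": None},
    {"id": "DOT-0005", "cat": 4, "uscert_ref": None,       "uscert_date": "2010-07-09"},
    {"id": "DOT-0006", "cat": 5, "uscert_ref": "INC-0110", "uscert_date": "2010-07-10"},
    {"id": "DOT-0007", "cat": 6, "uscert_ref": None,       "uscert_date": None},
    {"id": "DOT-0008", "cat": 1, "uscert_ref": "",         "uscert_date": ""},
]


def reportable(incidents):
    """Only incidents in a category US-CERT requires to be reported."""
    return [i for i in incidents if i["cat"] in REPORTABLE]


def unacknowledged(incidents):
    """Incidents with no proof of receipt, lowest category number first.

    Each entry names the missing evidence, so a reference number with no
    report date (DOT-0003) is still an exception, not a pass.
    """
    exceptions = []
    for inc in reportable(incidents):
        missing = [f for f in ("uscert_ref", "uscert_date") if not inc[f]]
        if missing:
            exceptions.append((inc["id"], inc["cat"], missing))
    return sorted(exceptions, key=lambda e: (e[1], e[0]))


def missing_reference_summary(incidents):
    """Table 3 layout: per category, the incidents lacking a reference number
    and that category's share of all such incidents, plus the overall rate."""
    total = reportable(incidents)
    missing = [i for i in total if not i["uscert_ref"]]
    per_cat = Counter(i["cat"] for i in missing)
    rows = []
    for cat in sorted(REPORTABLE):
        n = per_cat.get(cat, 0)
        share = round(100 * n / len(missing)) if missing else 0
        rows.append((cat, REPORTABLE[cat], n, share))
    rate = round(100 * len(missing) / len(total), 1) if total else 0.0
    return {"reportable": len(total), "missing": len(missing), "missing_pct": rate, "rows": rows}


if __name__ == "__main__":
    s = missing_reference_summary(INCIDENTS)
    print(f"{s['missing']} of {s['reportable']} reportable incidents "
          f"({s['missing_pct']}%) lack a US-CERT reference number")
    for cat, label, n, share in s["rows"]:
        print(f"  Category {cat}: {label:30s} {n:4d} {share:4d}%")
    for inc_id, cat, missing in unacknowledged(INCIDENTS):
        print(f"follow up {inc_id} (Category {cat}): missing {', '.join(missing)}")
```

Run against CSMC's real export, the follow-up list is what the Department would hand back to US-CERT to confirm receipt; the summary is the figure to report, and the two numbers the report gives (129 without a reference number, 248 without a report date) are exactly the two counts this script separates.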
We also found that 248 (8.7\npercent) did not have corresponding US-CERT Report Dates.\n\n\n        Table 3: Summary of Incidents Missing US-CERT\n        Reference Numbers\n                                                                         Incidents\n                                                                          Missing\n                                                                                            Percentage\n                                                                         Reference\n        US-CERT Categorya                                                Numbers\n        Category 1: Unauthorized Access (e.g., PII\n                                                                              18                  14\n        breach)\n        Category 2: Denial of Service (DOS)                                     0                   0\n        Category 3: Malicious Code                                            99                  77\n        Category 4: Improper Usage                                            11                    9\n        Category 5: Scans/Probes/Attempted Access                               1                   1\n        Total Security Incidents                                             129                 100b\n        Source: OIG Anal ysis\n    a\n      U S - CE RT Ca te go r y 0 ( E x er ci s e /T es t) a nd Cat e go r y 6 ( U nco n f ir me d I n cid e n ts)\n      we r e no t i n o ur a n al ys i s b eca u se t he y ar e no t r e q ui r ed to b e r ep o r t ed to US -\n      CE RT .\n    b\n      T o tal s ma y no t ad d d ue to r o u nd i n g\n\n\n\nWithout a US-CERT reference number or an approved process to verify DHS\nreceived the incidents, DOT cannot determine whether or not the DHS received\n\x0c                                                                                                             11\n\n\nthe reports, undermining the Government\xe2\x80\x99s ability to properly 
coordinate among\nFederal agencies in order to defend against cyber attacks.\n\nThe Department Has Not Fully Met Configuration Standards\n\nFISMA requires compliance with minimally acceptable system configuration\nrequirements for commercial software.             Configurations that meet these\nrequirements provide a baseline level of security and ensure the efficient use of\nresources. Earlier in the year, we found that the Department\'s American Recovery\nand Reinvestment Act (ARRA) websites had significant vulnerabilities resulting\nfrom incorrect configurations.14 More recently, we found configuration\ndeficiencies in FDCC compliance, and the absence of a full implementation of\nconfiguration baselines throughout the Department.              Without complete\nimplementation of configuration standards, the Department has little assurance\nthat it is sufficiently protecting its information systems from known, exploitable\nsoftware weaknesses. Inadequately configured software also increases security\nvulnerabilities that could impact DOT\xe2\x80\x99s mission and business operations.\n\nOperating Administrations Are Not in Compliance with Federal Desktop Core\nConfiguration Requirements\n\nOMB requires agencies that have deployed certain software, such as the Windows\nXP operating system, to adopt NIST security configurations settings known as the\nFDCC requirements. OMB also requires that departments meet all NIST\nconfiguration settings in order for them to be 100 percent compliant. We\nstatistically sampled 63 employees that use Government-provided computers from\n7,756 personnel in the Washington area. 
Based on this sample, we estimate that the number of employees with FDCC compliant computers is somewhere between 0 and 283 out of the 7,756.[15] In addition, all 14 individuals from one FMCSA field site were selected based on geographical location, and their Government-provided computers were representative of FMCSA field sites throughout the US. These remote computers were only 82 percent compliant for Windows XP and 70 percent for Internet Explorer. In aggregate, all the computers tested were 90 percent compliant for Windows XP, and 72 percent for Internet Explorer. None of the computers tested were fully compliant with NIST settings. Table 4 shows the controls tested, passed, and failed.

[14] ARRA Websites Vulnerable to Hackers and Carry Security Risks, OIG Report FI-2011-006, October 22, 2010. www.oig.dot.gov
[15] The estimate has a 90% confidence with a margin of error of 3.7%.

Table 4: FDCC Sample Test Results

                          Number of         Total Controls   Total Controls   Total Controls
                          Sampled Systems   Tested(c)        Passed           Failed
FAA(a)                          25
    Windows                                        9,525            8,414            1,111
    Internet Explorer                              2,875            1,461            1,415
FMCSA Field Site                14
    Windows                                        5,246            4,323              923
    Internet Explorer                              1,441            1,005              436
ITS (COE)(b)                    34
    Windows                                       12,954           12,411              543
    Internet Explorer                              3,468            3,169              299
OIG                              2
    Windows                                          762              695               67
    Internet Explorer                                204              200                4
STB                              2
    Windows                                          762              435              328
    Internet Explorer                                230              120              110
Department Totals:              77
    Windows                                       29,249           26,278            2,972
    Internet Explorer                              8,218            5,955            2,264
Source: OIG
(a) See Exhibit B for full Operating Administration names.
(b) The Department consolidated Operating Administrations' network infrastructures (e-mail, desktop computing, and local area networks) into a common IT infrastructure.
(c) Totals may not add due to rounding.

One of the Department's controls for ensuring the use of approved configuration settings is creating a uniform image of desired FDCC control settings and applying it to all workstations. However, we found numerous different FDCC settings among workstations that were supposed to be identical. For example, FMCSA had up to 12 different settings among its computers. While we did not determine the cause for this variance, such differences can be caused by malware or viruses.

OMB requires agencies to use Security Content Automation Protocol[16] (SCAP)-validated tools to certify that their systems comply with FDCC standards. Agencies are also required to manage and monitor the configuration of these standards once deployed to personnel to ensure they are not modified. Only four OAs reported 100 percent coverage of their systems using SCAP-compliant tools. The remaining nine OAs, however, either had less than 100 percent coverage of their systems or did not provide evidence of coverage. For example, FAA did not use a SCAP tool to ensure FDCC compliance for its networks. Without valid testing using approved tools, the degree of FDCC compliance may deteriorate and expose the Department to unexpected vulnerabilities.

Deviations from preferred control settings do occur when an agency determines that the settings impact operations, such as the running of legacy applications. The implementation of such deviations requires high-level review and approval to prevent exploitation of possible weaknesses created by the deviations. However, DOT does not have an adequate process for approving deviations[17] from FDCC requirements. While Department policy requires OAs to receive approval from the Department's CIO for use of deviations, there is no guidance on how to request a deviation. The majority of deviations noted in our testing had not been approved. While FRA and SLSDC requested and received approvals for some FDCC deviations, COE, FMCSA field sites, and PHMSA submitted deviations but did not receive approvals. Other OAs, including FAA, had not submitted requests for approvals.
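The two findings above, workstations imaged from one template that nevertheless differ from each other, and deviations from the baseline that were never run through an approval process, describe a check that a configuration team can automate. The following Python script is an added example and is not code from the OIG report or from any DOT or NIST tool: it compares each workstation's observed settings to a baseline, counts a mismatch as a failure unless it matches an entry in an approved-deviation register, totals controls tested, passed and failed the way Table 4 reports them, and lists settings that drift between hosts that should be identical. The setting names and values, host names and deviation entries are constructed illustrations, not the actual FDCC parameter list.

```python
"""Baseline compliance and drift check for desktop configuration settings.

Added example; the setting names and values are constructed illustrations,
not the FDCC parameter list, and the hosts and deviations are made up.
"""
from collections import Counter

# Constructed baseline: the value each setting must have on every workstation.
BASELINE = {
    "MinimumPasswordLength": 12,
    "LockoutBadCount": 5,
    "ScreenSaverTimeoutSeconds": 900,
    "AutorunDisabled": True,
    "GuestAccountEnabled": False,
}

# Constructed observations from three workstations built from the same image.
OBSERVED = {
    "ws-01": {"MinimumPasswordLength": 12, "LockoutBadCount": 5,
              "ScreenSaverTimeoutSeconds": 900, "AutorunDisabled": True,
              "GuestAccountEnabled": False},
    "ws-02": {"MinimumPasswordLength": 8, "LockoutBadCount": 5,
              "ScreenSaverTimeoutSeconds": 900, "AutorunDisabled": True,
              "GuestAccountEnabled": False},
    "ws-03": {"MinimumPasswordLength": 12, "LockoutBadCount": 0,
              "ScreenSaverTimeoutSeconds": 1800, "AutorunDisabled": False,
              "GuestAccountEnabled": False},
}

# Constructed deviation register: only deviations approved by the accrediting
# authority belong here, keyed by (host, setting) with the approved value.
APPROVED_DEVIATIONS = {
    ("ws-03", "ScreenSaverTimeoutSeconds"): 1800,  # legacy kiosk application
}


def check_host(host, observed, baseline=BASELINE, approved=APPROVED_DEVIATIONS):
    """Classify every baseline setting on one host.

    'pass'      - the observed value equals the baseline value
    'deviation' - it differs but matches an approved deviation for this host
    'fail'      - it differs (or is missing) and no approval exists
    """
    results = {}
    for setting, required in baseline.items():
        actual = observed.get(setting)  # a missing setting is a failure, not a pass
        if actual == required:
            results[setting] = "pass"
        elif (host, setting) in approved and approved[(host, setting)] == actual:
            results[setting] = "deviation"
        else:
            results[setting] = "fail"
    return results


def fleet_summary(hosts, baseline=BASELINE, approved=APPROVED_DEVIATIONS):
    """Total controls tested, passed and failed across hosts, as Table 4 reports them.

    Approved deviations still differ from the baseline, so they count as failed
    controls, but they are also reported separately so nobody chases them as findings.
    """
    counts = Counter(tested=0, passed=0, failed=0, approved_deviations=0)
    for host, observed in hosts.items():
        for status in check_host(host, observed, baseline, approved).values():
            counts["tested"] += 1
            if status == "pass":
                counts["passed"] += 1
            else:
                counts["failed"] += 1
            if status == "deviation":
                counts["approved_deviations"] += 1
    counts["percent_compliant"] = round(100.0 * counts["passed"] / counts["tested"], 1)
    return dict(counts)


def inconsistent_settings(hosts):
    """Settings whose value is not identical on every host.

    Hosts built from one image should yield an empty list; anything returned
    here is drift from the image, whatever its cause.
    """
    names = {s for observed in hosts.values() for s in observed}
    drift = []
    for setting in sorted(names):
        values = {repr(observed.get(setting)) for observed in hosts.values()}
        if len(values) > 1:
            drift.append(setting)
    return drift


if __name__ == "__main__":
    for host, observed in OBSERVED.items():
        print(host, check_host(host, observed))
    print(fleet_summary(OBSERVED))
    print("drifting settings:", inconsistent_settings(OBSERVED))
```

A real deployment would feed `OBSERVED` from the SCAP scanner's per-host output rather than a literal, but the two decisions that matter stay the same: a setting absent from a host is a failure rather than a pass, and a deviation is only excused when it is in the register with the value that was actually approved.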
Without an adequate deviation approval process, the Department cannot assess the necessity of such deviations or attempt to resolve them.

Operating Administrations' Configuration Management Procedures Do Not Comply with NIST and DOT Policy

Nine OAs--FAA, FMCSA, FTA, MARAD, OIG, OST, PHMSA, RITA, and SLSDC--have security configuration management procedures that do not align with NIST and departmental policy. For example, PHMSA, FHWA, and FRA have implemented standard baseline configurations, but not for all of the hardware and software they use. Three of these OAs--FAA, OIG and RITA--have no baseline configuration procedures to ensure the security of their systems. Furthermore, none of these OAs' procedures has been reviewed in detail by OCIO, due to a lack of available personnel and OCIO's focus on developing DOT's Cyber Security Strategic Plan.

[16] NIST has created the SCAP program to work with the information technology communities to develop common configuration standards. As part of this program, NIST-accredited laboratories test tools and submit results to NIST. If the results are favorable, NIST validates the tool.
[17] A deviation occurs when the parameter for a particular setting is different from the approved parameter. OMB requires that such deviations be approved by the department or agency's accrediting authority.

OAs also should perform scanning to verify that system configurations are correct and that security patches have been applied. Three OAs--FRA, STB, and SLSDC--did not provide documentation of controls over their software scanning capabilities. Five OAs--FHWA, FMCSA, FRA, FTA and RITA--did not provide scanning evidence or confirmation of timely resolution of vulnerabilities. For example, FAA's use of an unsupported Oracle database resulted in untimely patching of the Department's financial system (Delphi) and rendered vulnerability scanning ineffective for that system. In another example, SLSDC has no patch management policy or procedure in place. Moreover, DOT has no department-wide process for managing OA compliance with policy requirements pertaining to inventories of technology products and corresponding security baselines.

THE DEPARTMENT CONTINUES TO LACK AN EFFECTIVE PROCESS FOR REMEDIATING INFORMATION SECURITY WEAKNESSES

FISMA requires a process for planning, implementing, evaluating, and documenting remedial actions to address information security weaknesses. DOT's process is ineffective due to its weaknesses in management oversight and its incomplete POA&M database.

Last year, OCIO began meeting monthly with Operating Administrations to address information security concerns. In fiscal year 2010, however, these meetings were delayed until July 2010 because of changes in OCIO priorities. As evidence of its oversight of OAs' remediation of security weaknesses, OCIO could only point to its review of FHWA's POA&M status. This insufficient oversight of OAs, in turn, contributes to the inadequate resolution of security weaknesses, including the slow implementation of our prior year recommendations.
As shown in Table 5, there are:

   • 4,794 open POA&Ms or weaknesses;
   • 1,200 weaknesses, or 25 percent, that are overdue, including 126 that are over 1 year overdue;
   • 240 weaknesses that have no scheduled completion dates;
   • 404 POA&Ms that did not identify the cost to remediate the weakness;
   • 3,594 weaknesses, or 75 percent, that had completion dates that exceeded policy time frames for remediating weaknesses in place at the time; some of these had completion dates scheduled for 4 years in the future.

Table 5: Summary of Overdue POA&Ms

The six columns between "Total Open POA&Ms" and "Total Overdue" count POA&Ms by how long they are overdue.

Operating           Total Open   1 - 60   61 - 90   91 - 120   121 days   > 1 yr   No Target    Total     Future Scheduled
Administration(a)   POA&Ms       days     days      days       - 1 year            Completion   Overdue   Completion Date
                                                                                   Date
DOT Program               106        3         1          8          3         68           5        88                 18
FAA                      4170      267        78         62        365          0          85       857               3313
FHWA                      159        0         0          0          1          0           0         1                158
FMCSA                       2        0         0          1          0          1           0         2                  0
FRA                        11        0         0          3          6          0           2        11                  0
FTA                        20        0         0          0          1          0           0         1                 19
MARAD(b)                  111        0         0          0          0          0         111       111                  0
NHTSA                       1        0         0          0          1          0           0         1                  0
OIG                        17        8         1          0          4          2           0        15                  2
OST                        71        6         0          2          6          2           0        16                 55
PHMSA                      22        1         1          0          0          0           0         2                 20
RITA                       32        4         0          0          0          1          18        23                  9
SLSDC                       5        1         0          0          0          0           4         5                  0
STB                        67        0         0          0          0         52          15        67                  0
Total                    4794      290        81         76        387        126         240      1200               3594
Percentage                          6%        2%         2%         8%         3%          5%       25%                75%
Source: DOT Open POA&Ms in Cyber Security Assessment and Management (CSAM) system as of August 18, 2010
(a) See Exhibit B for full Operating Administration names.
(b) 111 POA&Ms reported by MARAD were not assigned a scheduled completion date.

Based on the policy in effect at the time of our review, all 4,794 open POA&Ms were, or were expected to become, overdue. The policy required high-priority weaknesses to be resolved within 24 hours, moderate-priority ones within 20 working days, and low-priority ones in approximately 3 months. In September 2010, OCIO issued a new POA&M policy that significantly changed the timeframes for resolution of weaknesses. However, because of its shorter timeframe for resolving low-priority weaknesses, the policy will likely result in the resolution of low-priority weaknesses before high-priority ones.
Table 6 summarizes the changes in timeframes.

Table 6: Changes to Remediation Time Requirements

POA&M            Prior Policy--                         Current Policy--
Categorization   DOT Order 1351.6, Section 4.5 POA&Ms   DOT Order 1351.30
High             Remediate within 24 hours              Develop a remediation plan within 90 working days
Moderate         Remediate within 20 working days       Remediate within 90 working days
Low              Remediate within 60 working days       Remediate within 30 working days
Source: OIG

Furthermore, Operating Administrations did not record all identified security weaknesses in the Department's POA&M database for 20 of the 33 systems that we selected for this year's review. In particular, MARAD did not input any known security weaknesses in the POA&M database, including the deficiencies in its systems' certification and accreditation reported last year.

Without a compliant POA&M process, the Department cannot ensure that its systems are adequately secured and protected. Weaknesses that remain unaccounted for, unresolved, or unmitigated for extended periods of time allow for unnecessary vulnerabilities and exposures that may be exploited, or may otherwise compromise the availability or integrity of systems and data. Furthermore, establishing tighter time frames to address only low-priority weaknesses could result in high-priority weaknesses requiring more time than necessary to resolve.

THE DEPARTMENT'S SYSTEM-LEVEL CONTROLS ARE NOT ADEQUATE TO PROTECT THE SYSTEMS OR ENSURE RECOVERY

System-level controls protect the security of information systems and ensure that they can be recovered should a serious security breach occur. However, the Department does not effectively manage these controls. Specifically, we found that the Department does not know how many systems MARAD owns; certification and accreditation as well as contingency plan testing are incomplete; continuous monitoring is ineffective; oversight of contractor-operated systems is inadequate; controls over remote access are deficient; and controls over account and identity management are also deficient.

The Department Does Not Know How Many Systems MARAD Owns

FISMA requires agencies to develop, maintain, and annually update inventories of the major information systems, including interfaces to external systems, that they operate or control. Agencies can then use the inventories to track their systems for annual testing and evaluation, and contingency planning. Developing a complete and accurate inventory of major information systems is an agency's first step in managing its information technology resources, including security.

For FY 2009, we reported that MARAD did not use an appropriate methodology in developing its system inventory. For FY 2010, MARAD has been unable to provide an accurate inventory of its systems. In April 2010, MARAD informed us that it had 18 systems. More recently, the Agency informed us that its system total was anywhere between 23 and 83.
MARAD is conducting a review of the number of systems it has and the number of certifications and accreditations it needs to perform. Without a well-developed inventory, it is almost impossible to determine whether or not system-level controls are implemented or effective, or to track system security metrics. Furthermore, as system changes occur, it is difficult to reassess system-level controls and to enforce system-level security.

Certification and Accreditation and Contingency Plan Testing Are Incomplete

OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires that systems be reauthorized (i.e., accredited) at least once every 3 years. As of September 30, 2010, at least 41, or 10 percent, of the Department's systems are unaccredited, meaning they were not authorized to operate. Table 7 lists the OA, system name, and date of certification and accreditation expiration for all unaccredited systems, except MARAD, which has at least 23 unaccredited systems, all of which continue to operate.

Table 7: Summary of DOT Systems with Expired Certification and Accreditation

OA(a)      System Name                                          Expiration   Total
                                                                Date         Systems
FMCSA      CoTs DOT ECOM LAN                                    2/07/2010
           CoTs DOT LAN                                         2/07/2010
           Performance and Registration Info. Sys. Mgmt.        4/26/2010
           Electronic Information System (EMIS)                 6/11/2010
           Electronic Document Mgmt Sys (EDMS)                  6/15/2010
           Query Central (QS)                                   6/15/2010
           Commercial Vehicle Info. Sys and Networks            6/22/2010
           Compass                                              8/27/2010        8
FRA        Controlled Correspondence Manager (CCM)              9/06/2010
           Web Information Services (WIS)                       9/06/2010
           Automated Track Inspection Program (ATIP)            9/21/2010
           GradeDec.Net                                         9/21/2010
           Railroad Safety Advisory Committee (RSAC)            9/22/2010        5
OIG        US DOT/OIG Infrastructure                            8/28/2010
           US DOT/OIG TIGR System                               9/18/2010        2
RITA       RITA- Web                                            5/31/2010
           RITA- Mission Support                                7/30/2010
           RITA- TSI Infrastructure                             1/02/2010        3
MARAD      Multiple Systems                                     N/A             23(b)
           Total DOT Systems with Expired C&As                                   41
Source: DOT Expired C&As in Cyber Security Assessment and Management (CSAM) system as of September 30, 2010
(a) See Exhibit B for full Operating Administration names.
(b) Estimate

We statistically selected 30 out of
436 systems reported to us. We reviewed 33 systems because one system was made up of 4 subsystems. The results of the 33 are summarized in Table 8. Based on this sample, we estimate that 170 (39 percent) would not fully meet the C&A requirements cited in NIST 800-37, 109 (25 percent) would be deficient in annual testing,[18] and 196 (45 percent) would not be compliant in contingency planning and testing.[19]

[18] Subsequent to the initial authorization of the entire information system, OMB requires agencies to test subsets of their security controls annually, as part of continuous monitoring.
[19] This estimate has a 90-percent confidence level with a margin of error for DOT C&A of +/-19.5, for security control testing of +/-16.8, and for contingency planning and testing of +/-20.2.

Table 8: Results of Review of Sample of 33 Systems(a)

                                        FAA   FHWA   MARAD   NHTSA   OST   RITA   Total   Percentage
Number of Systems Sampled                15      4       7       4     2      1      33
Systems without C&As or with              8      0       7       0     0      1      16          48%
deficient C&As
Systems without sufficient annual         5      0       7       0     0      1      13          39%
testing
Systems without comprehensive            10      0       7       0     0      1      18          55%
contingency plans and testing
Source: OIG Analysis
(a) See Exhibit B for full Operating Administration names.

Without proper certification and accreditation, the Department lacks a crucial management control that ensures that systems are properly assessed for risk, have been independently tested, and that system weaknesses have been identified and sufficiently mitigated. Without this control, management cannot ensure that systems are operating without unacceptable risks or weaknesses. Furthermore, without complete security and contingency testing, systems may operate with new or unresolved weaknesses and may not be recoverable in time to minimize business disruption.

The Department's Continuous Monitoring Is Ineffective

As noted in our prior report, the Department's policy and procedures on continuous monitoring were not sufficiently detailed to guide agency personnel to conduct effective continuous monitoring of security controls. For FY 2010, OCIO noted that the planned revisions to these departmental procedures will not be implemented until November 2012. Furthermore, the Department does not have an approved strategic plan for continuous monitoring. Without these department-wide procedures, OAs have acted on their own. FAA, FHWA, FMCSA, FRA, and NHTSA developed internal guidance. Overall, however, the OAs are not acting in compliance with existing OMB guidance.
For example:

   • 12 out of 13 OAs did not effectively review, monitor and validate security controls;
   • 9 OAs do not incorporate continuous monitoring results into security status reports or use them to update C&A documents (Security Plan, Security Assessment Report, POA&M);
   • 9 OAs do not provide authorizing officials and others with reports on continuous monitoring.

The lack of procedures for comprehensive continuous monitoring limits OAs' abilities to adequately monitor, in a timely manner, the security of their information systems. It also diminishes their abilities to respond quickly to new threats, and may affect how well the Department can implement security solutions in its highly dynamic environment.

The Department's Oversight of Contractor-Operated Systems Is Inadequate

For 2010, OMB required OIGs to determine whether agencies had established and were maintaining oversight programs for systems operated by contractors or other entities, including inventories of such systems. The Department's methods of identifying contractor-operated systems and related interfaces do not comply with OMB's requirements. Furthermore, some of its information technology contracts do not include language requiring conformance to FISMA.

The Department Does Not Identify Its Contractor-Operated Systems in Accordance with OMB Guidance

The Department's inventory of contractor systems decreased from 46 to 33 between fiscal years 2009 and 2010, as shown in Table 9. This decrease occurred due to OCIO's instruction to the OAs to count as contractor systems only those that are both owned and operated by contractors. This new definition is not consistent with OMB's guidance, which defines a contractor system as any system operated on an agency's behalf by a contractor or other entity. Furthermore, according to OCIO, no established process exists for reviewing and ensuring the accuracy of OAs' reporting on contractor systems. As a result, OCIO was not aware of inconsistencies in the reporting. Contractor-operated systems represent additional risks to the Department because it frequently does not manage security controls in such systems. Without an accurate inventory of these systems, the Department cannot effectively manage the risks.

Table 9: FY 2009 and 2010 Comparison of Contractor Systems(a)

             FY 2009   FY 2010   Difference
FAA               10        13            3
FHWA               1         0         (1)(b)
FMCSA              3         4            1
FRA                6         6            0
FTA                5         0         (5)(c)
NHTSA              2         2            0
OST               14         4        (10)(b,c)
PHMSA              3         3            0
RITA               2         1         (1)(b)
Total:            46        33          (13)
Source: OIG
(a) See Exhibit B for full Operating Administration names.
(b) Retired
(c) Re-defined from contractor operated

Some IT Contracts Do Not Contain Clauses Regarding FISMA Compliance Requirements

FISMA and OMB require agencies to ensure that contractors comply with Federal information security requirements.
However, OCIO\'s policy and guidance do not\naddress the inclusion of specific clauses in contracts to ensure that the Department\nincorporates Federal security requirements into its information technology\nprocurements. For example, we found contracts that did not incorporate Federal\ncomputer security language. Furthermore, even though FAA has a standard clause\nfor FISMA compliance, we found that six out of eight FAA contracts did not\nincorporate this clause. Finally, 12 OAs did not provide evidence that they\ndevelop and manage their contractor interface agreements in compliance with\nOMB policy.\n\nWithout the required contract language, up-to-date interface agreements, and\noversight, DOT cannot enforce compliance with important information security\nrequirements, or ensure that security risks are reduced in a cost-effective and\nconsistent manner.\n\nThe Department\'s Controls Over Remote Access Are Deficient\n\nNIST provides guidance for agencies on controlling remote access to their\nsystems. In 2007, OMB announced the Trusted Internet Connection (TIC)\ninitiative to reduce and consolidate the number of external access points, including\n\x0c                                                                                    22\n\n\nInternet connections, and ensure that all external connections are routed through\nan OMB-approved TIC.\n\nWe found that the Department\'s remote access controls are deficient.         For\nexample:\n\n   \xe2\x80\xa2 Home computers can be used for internet access to DOT\'s systems.\n     However, DOT\'s policy does not provide clear guidance on the safe use of\n     home computers for this access, and only requires users from home to have\n     IDs and passwords for identity authentication in order to gain access. 
     With the exception of FAA, which requires identification tokens in some instances, there is no multi-factor identity authentication in use at DOT.
   • Home computers used to access DOT applications are checked for up-to-date operating system patches and virus protection, but they are not checked for FDCC compliance.
   • DOT does not conduct real-time monitoring and authentication of equipment that remotely accesses its networks to ensure that only authorized devices are able to connect.
   • FAA has an informal agreement that all employees who have faa.gov email accounts will be provided remote access to their email accounts. FAA is in the process of developing a plan to revise its remote access policy and provide it to its CIO for guidance.
   • DOT policy lacks specific requirements on use of wireless access to DOT networks; OCIO reported that this policy is currently in revision but provided no completion date.
   • CIO does not plan to complete routing all agency external connections through approved Trusted Internet Connection access points until after 2011.

Without effective controls over remote access, DOT cannot ensure that only authorized computers and personnel are accessing its information systems. As a result, there is an increased risk that unauthorized users will deploy malware on DOT's networks or extract sensitive information.

The Department's Controls Over Account and Identity Management Are Deficient

NIST provides guidance for network accounts and identity management. In May 2009, DOT OCIO issued Department-wide policies to implement security controls for account management, and user identification and authentication.
These policies state that Lines of Business/OAs are responsible for implementing the policies' requirements, and that the Chief Information Security Officer should validate compliance with the procedures. We reviewed four networks that service about 54,000 users and found that the Department's account and identity management controls are deficient in several areas, including disabling of accounts, distinguishing between user and non-user accounts, using multi-factor authentication, and using dual accounts for administrators.

Network Administrators Do Not Disable Accounts in a Timely Manner

DOT OCIO policy states that information systems should disable user identifiers after 30 days of inactivity for high-impact systems [20] and 60 days for moderate-impact systems. It further states that all system accounts should be configured to automatically lock out inactive users within a specific period of time not to exceed 90 days. Of the approximately 54,000 accounts we reviewed, we found that about five percent had not been disabled after the required period of inactivity. See Table 10 for a description of these accounts.
We also found two active accounts whose users were deceased.

Table 10: Accounts That Were Not Disabled in a Timely Manner

  System Name          Disabling Period   Total   User Accounts   Non-User Accounts
  COE LAN(a)           > 30 days            898        898         See Note a.
  Volpe Center LAN     > 60 days            240        118            122
  USMMA LAN(b)         > 60 days            258        189             69
  FAA/ATO LAN          > 60 days          1,432      1,238            194
  Total                                   2,828      2,443            385
Source: OIG
(a) User and non-user accounts were not segregated by COE.
(b) USMMA LAN stores, processes, and transmits PII.

The primary cause of these account problems is the inadequate use of tools that automatically disable accounts after a certain length of time of inactivity. The United States Merchant Marine Academy (USMMA) and the John A. Volpe National Transportation Systems Center (Volpe) did not use any automated mechanism to disable their inactive accounts. Both COE LAN and FAA's ATO have implemented tools to manage their Active Directories, but these tools are not properly configured to disable accounts within the proper timeframes.
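The 30/60-day rule and the user/non-user split in Table 10 can be checked mechanically from an account export. The following Python script is an added example, not code from the OIG report or from any DOT tool: it classifies each account as user, contractor, service or nonconforming using naming standards modelled on those listed in Table 11 below (the regular expressions, the network names, the impact level assigned to each network, the account names, the dates and the as-of date are all constructed assumptions), then flags enabled accounts whose last activity is older than the disabling period for the system's impact level and summarizes them per network in the shape of Table 10.

```python
"""Inactive-account audit against a 30/60-day disabling policy.

Added example; not code from the OIG report or from DOT. All account data,
network names, impact levels and naming patterns below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Disabling periods quoted from DOT OCIO policy in the report: 30 days of
# inactivity for high-impact systems, 60 days for moderate-impact systems.
DISABLE_AFTER_DAYS = {"high": 30, "moderate": 60}

# Naming standards modelled on Table 11. The patterns are an assumption
# (my encoding of the standards); order matters, most specific first.
NAMING_STANDARDS = {
    "COE": [
        ("contractor", re.compile(r"^[a-z]+(?:-[a-z]+)*\.[a-z]+(?:-[a-z]+)*\.ctr$")),
        ("user",       re.compile(r"^[a-z]+(?:-[a-z]+)*\.[a-z]+(?:-[a-z]+)*$")),
        # COE specified no convention for service accounts, so none can be
        # recognised here; such names fall through as "nonconforming".
    ],
    "FAA/ATO": [
        ("service", re.compile(r"^SRVC-")),
        # Anything else alphabetic is taken to be a user account; a service
        # account missing its SRVC- prefix is therefore miscounted as a user,
        # which is exactly the risk the report describes.
        ("user",    re.compile(r"^[A-Za-z][A-Za-z.]*$")),
    ],
}


@dataclass(frozen=True)
class Account:
    network: str
    name: str
    enabled: bool
    created: date
    last_logon: date | None  # None means the account never logged on


def classify(network: str, name: str) -> str:
    """Return user / contractor / service, or nonconforming if no standard matches."""
    for kind, pattern in NAMING_STANDARDS[network]:
        if pattern.match(name):
            return kind
    return "nonconforming"


def days_inactive(acct: Account, today: date) -> int:
    """Days since last logon, or since creation for accounts that never logged on."""
    return (today - (acct.last_logon or acct.created)).days


def audit(accounts, impact_by_network, today):
    """Summarize enabled accounts that are past their disabling period.

    Returns {network: {"total", "user", "non_user", "unclassified", "names"}},
    mirroring the columns of Table 10. Contractors count as users; only
    recognisable service accounts count as non-user; names that match no
    standard are reported separately rather than silently counted as users.
    """
    report = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled, nothing to flag
        limit = DISABLE_AFTER_DAYS[impact_by_network[acct.network]]
        if days_inactive(acct, today) <= limit:
            continue  # still within the permitted inactivity window
        row = report.setdefault(acct.network, {"total": 0, "user": 0,
                                               "non_user": 0, "unclassified": 0,
                                               "names": []})
        kind = classify(acct.network, acct.name)
        row["total"] += 1
        if kind in ("user", "contractor"):
            row["user"] += 1
        elif kind == "service":
            row["non_user"] += 1
        else:
            row["unclassified"] += 1
        row["names"].append(acct.name)
    return report


# Constructed sample export (assumption): COE treated as high impact (30-day
# rule), FAA/ATO as moderate (60-day rule), audited as of 6 August 2010.
AS_OF = date(2010, 8, 6)
IMPACT = {"COE": "high", "FAA/ATO": "moderate"}
SAMPLE_ACCOUNTS = [
    Account("COE", "alan.walsh", True, date(2009, 3, 2), date(2010, 7, 30)),           # active
    Account("COE", "walsha", True, date(2009, 3, 2), date(2010, 6, 1)),                # 66 days, misnamed
    Account("COE", "curtis.johnson", True, date(2008, 9, 9), date(2010, 6, 20)),       # 47 days
    Account("COE", "jean-marie.tchokok.ctr", True, date(2010, 1, 4), date(2010, 8, 1)),  # active
    Account("COE", "SRS.Web", True, date(2010, 1, 15), None),                          # never logged on
    Account("COE", "old.account", False, date(2007, 5, 1), date(2009, 1, 1)),          # already disabled
    Account("FAA/ATO", "SRVC-Backup", True, date(2009, 11, 11), date(2010, 5, 1)),     # 97 days
    Account("FAA/ATO", "BEuser", True, date(2009, 11, 11), date(2010, 5, 15)),         # 83 days, misnamed
    Account("FAA/ATO", "jane.doe", True, date(2010, 2, 2), date(2010, 6, 10)),         # 57 days, within 60
    Account("FAA/ATO", "SRVC-MCUser", True, date(2010, 2, 2), date(2010, 7, 1)),       # 36 days, within 60
]

if __name__ == "__main__":
    for network, row in audit(SAMPLE_ACCOUNTS, IMPACT, AS_OF).items():
        print(f"{network}: {row['total']} overdue "
              f"(user {row['user']}, non-user {row['non_user']}, "
              f"unclassified {row['unclassified']}): {', '.join(row['names'])}")
```

In practice the export would come from the directory itself (for Active Directory, the last-logon attribute of each object) rather than a constructed list, and the "unclassified" bucket is where Table 11's naming errors surface: an account that matches no standard cannot be proven to be either a user or a service account, which is the gap the report describes for COE.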
Not disabling accounts in a timely manner may lead to unauthorized access to information and systems by individuals who are no longer authorized to have access.

[20] "Impact" refers to the impact that loss of a system's confidentiality, integrity, or availability could be expected to have on organizational operations, assets, or individuals. "High impact" would have a severe or catastrophic adverse effect, whereas "moderate impact" would have a severe adverse effect.

Network Administrators Do Not Properly Distinguish Account Types

NIST requires agencies to segregate account types (individual, group, system, application, guest/anonymous, or temporary), and to distinguish between user and non-user accounts. However, the networks we reviewed had not accomplished these requirements because their administrators did not follow the OAs' naming standards when establishing accounts. Table 11 provides examples of inconsistent account names among the networks reviewed.
Without accurately identifying user accounts and non-user accounts, the Department cannot properly control access to its information systems.

Table 11: Summary of Account Naming Errors

  Network   Account Naming Standard                     Correctly Named Accounts   Incorrectly Named Accounts
  COE       Federal: first.last                         alan.walsh                 walsha
                                                        curtis.johnson             Curtis.Johnson2
            Contractors: first.last.ctr                 jean-marie.tchokok.ctr     j.tchokok.ctr
            Naming convention for service accounts      Unknown                    Sptest
            was not specified                                                      SRS.Web
                                                                                   DOTMOSS.Sql
  FAA/ATO   Service accounts must contain "SRVC" in     SRVC-BEuser                BEuser
            front of the account name.                  SRVC-Backup                Backup
                                                        SRVC-MCUser                MCUser
                                                        SRVC-ORDBackup             ORDBackup
  USMMA     Midshipmen structure:                       07DiehlE                   diehle
            2-digit year + LastName + FirstInitial +    08BellE                    08bellE
            MiddleInitial (10LastFM)                    13HumeZA                   13HUMEZA
            Non-midshipmen structure:                   AnthonyS                   anthons
            LastName + FirstInitial (LastF)             VendittoJ                  joanna.venditto
                                                        LiG                        li(contractor)
Source: OIG

The Department Has Not Implemented Multi-Factor Authentication for Identifying Users

Department officials in charge of the four networks reviewed indicated that multi-factor authentication would not be implemented until they completed PIV card issuance. The Department agreed with OMB to complete card issuance by December 31, 2010. However, DOT's current plan to issue cards to non-FAA personnel lacks detail on issues such as resources, responsible parties, and risk management, without which the Department cannot ensure that the timeframe is realistic. Currently, the four reviewed networks only use user IDs and passwords to allow access to their systems. USMMA is planning to implement multi-factor authentication for Federal employees and contractors, but not for midshipmen or four-year students, despite the fact that USMMA LAN stores, processes, and transmits PII. Because multi-factor authentication has not been implemented, DOT cannot fully identify and authenticate authorized users.
Individuals who are not properly authenticated may be capable of sharing user IDs and passwords, which could lead to identity fraud, counterfeiting, organizational espionage, social engineering, Internet misuse, and misuse of personal information.

Not All Network Administrators Have Dual Accounts

NIST guidance requires agencies to separate duties through assigned system access authorizations, including different accounts for different roles. For example, a system administrator who has an email account on the network he or she administers should have an administrator account and a user account. This individual would only use the user account to access email. Administrators of two of the networks we reviewed did not have user accounts. For example, COE administrators do not use separate accounts to perform non-administrator tasks. Because administrator accounts have greater access to computer resources, using such accounts to perform non-administrator functions increases the likelihood that malware, such as viruses, will infect DOT networks.

CONCLUSION

DOT operates in a world in which information systems are part of every solution, and the Internet has connected almost every network. As a result, the Department's success is dependent on its ability to keep its networks available to its legitimate users, and to protect itself from those who, from almost any location, may seek to gain unauthorized access to its information or disrupt its operations. As technology progresses, so do the risks involved in its use and the need to maintain a state-of-the-art cybersecurity program that can respond quickly and effectively to any threat.
To mature towards such a program, DOT must immediately address its persistent cybersecurity weaknesses with strong leadership, greater influence and oversight by DOT OCIO, and management commitments from OA Administrators. Until this happens, DOT will remain vulnerable to predators.

RECOMMENDATIONS

Recognizing the challenges of developing an effective and mature information security program from what DOT currently has in place, we are providing a number of actions that, combined with our prior year recommendations, may serve as a roadmap to address urgent vulnerabilities currently inherent in the program. To mitigate these weaknesses and enable DOT's information security program to evolve towards an appropriate level of maturity, we recommend that the Chief Information Officer do the following:

Information Security Policy:

   1. Address these policy and procedural weaknesses:

      o Develop procedural guidance for the C&A process. In addition, modify existing certification and accreditation policy and procedures to address inheritance of common information security controls, and to provide procedural guidance to modes.
      o Correct POA&M policy to prioritize weaknesses in a way that ensures that high priority weaknesses are resolved before medium priorities, and medium ones before low ones.
        In addition, develop procedural guidance to ensure consistency of the POA&M process and to facilitate the CIO's oversight and management of weaknesses.
      o In conjunction with the modes, develop procedural guidance for tracking and training personnel with significant security responsibilities. This guidance should address maintaining complete inventories of such personnel, and the training needed and provided.
      o Enhance high-level policy with procedural guidance to ensure consistency of network accounts and identity management.
      o In conjunction with the Assistant Secretary for Administration, complete Department-wide PIV operating procedures, including procedures to terminate PIV cards.
      o Review and revise all configuration management policy and develop specific details for activities that are common across the Department. As part of this effort, develop procedural guidance that would define requirements for OAs to use when developing configuration management procedures specific to their operation.
      o Develop procedural guidance that would define requirements for OAs to use when developing incident handling procedures specific to their operation.
      o Enhance policy and procedural guidance to incorporate detailed guidance for managing, monitoring and reporting FDCC compliance, including the use of SCAP tools to ensure FDCC compliance.
      o Once policy adequately addresses contractor oversight per Recommendation 4 of last year's report, develop relevant procedural guidance.
        This policy should establish the criteria and guidelines for DOT's identification and reporting of contractor systems consistent with OMB requirements.
      o Enhance high-level policy with procedural guidance to ensure remote access and wireless networking are authorized, managed and monitored in compliance with OMB, NIST and DOT policies.

   2. To the extent the OAs require their own guidance, review that guidance to verify compliance with Department policies and procedures.

Enterprise-Level Weaknesses:

   3. Implement a quality assurance process to review OA-specific configuration management procedures to ensure that they adhere to departmental policy and Federal requirements.
   4. Implement a process to review OAs' security configuration management practices and software scanning capabilities. Provide monitoring of OAs' practices to ensure they are adhering to the policy and practices.
   5. Require OST to implement required system patches on their Delphi system.
   6. Conduct scanning of all DOT networks to ensure compliance with FDCC requirements. In addition, review results of modal SCAP compliance scans to identify and resolve incorrect FDCC settings.
   7. Require and approve deviation requests for those non-conforming settings that are truly needed and for which risks have been mitigated and accepted.
   8. Conduct periodic tests to assess FDCC compliance and deployment of patches, including service packs.
   9. Analyze the incorrect FDCC configuration settings identified in our testing, and for those that do not have approved deviations, require OAs to create POA&Ms to correct the settings.
   10. Implement a practice to review OA-specific incident handling procedures to ensure that they adhere to departmental policy.
   11. Implement a process to review reported incidents to ensure timely reporting to US-CERT. In addition, provide monitoring of incidents reported to ensure all required data in the tracking system(s) is up to date for incidents sent and data received back from US-CERT.
   12. Review FHWA, FMCSA, FRA, FTA and RITA automated scans confirming timely resolution of vulnerabilities. If a deficiency is found, require the OA to provide corrective action and to update its plan of action and milestones to address the weakness.
   13. Require OAs to reconcile their contractor records with the DOT security department and update their records accordingly. Monitor and report to the Deputy Secretary the Operating Administrations' progress in resolving the discrepancies between their contractor records and the DOT security department.
   14. Identify and implement automated tools to better track contractors and training requirements.

Information System Security Weaknesses:

   15. In conjunction with MARAD, create a POA&M for each system that is missing a certification and accreditation. This POA&M should be properly prioritized to ensure this critical matter is immediately addressed.

Information System Security:

   16. In conjunction with MARAD, promptly update the Cyber Security Assessment and Management (CSAM) system to reflect its current system inventory and related information (including status of certification and accreditation).
   17. Work with MARAD to finalize agreements with C&A service providers to certify MARAD systems.
   18. Review the results of OA assessments to determine an accurate inventory of contractor systems.
   19. Work with the Department's acquisition personnel to develop common contract language that requires IT contractors to enforce applicable FISMA and OMB requirements. Once this language is approved, review all new planned IT acquisitions, prior to award, to verify that this clause is contained in the statement of work or comparable document.
   20. Research and standardize automated tools that will proactively monitor remote devices connecting to DOT networks.
   21. Conduct tests of remote access solutions to ensure they comply with Federal requirements and DOT guidance.
   22. In conjunction with the Assistant Secretary for Administration, develop a Department-wide implementation plan that specifies resources needed, responsible parties, strategies for risk mitigation, etc., to ensure that all employees and contractors receive PIV cards by December 31, 2010.
   23. Implement the use of PIV cards as the primary authentication mechanism to support multi-factor authentication at the system and application level for all DOT employees and contractors.
   24. Perform periodic reviews of active user accounts and network devices to identify accounts that need to be disabled.
   25. Work with OAs to identify and logically segregate user accounts and service (role) accounts.
   26. Work with OAs to implement automated mechanisms to disable inactive accounts, as specified by DOT policies, and to audit account creation, modification, disabling, and termination actions.
   27. Educate and assist OAs in implementing dual accounts for administrators. Subsequently, conduct reviews to determine that all DOT GSSs use these accounts.

MANAGEMENT COMMENTS

A draft of this report was provided to the Department's CIO on November 3, 2010. On November 11, 2010, we received the Department CIO's response, which can be found in its entirety in the Appendix.

ACTIONS REQUIRED

In accordance with Department of Transportation Order 8000.1C, we would appreciate receiving your detailed action plans and target dates for the recommendations in this report within 30 calendar days. We will review the Chief Information Officer's detailed action plans when provided to determine whether they satisfy the intent of our recommendations. All corrections are subject to follow-up provisions in DOT Order 8000.1C. We appreciate the courtesies and cooperation of the CIO Office and the Operating Administrations' representatives during this audit. If you have any questions concerning this report, please call me at (202) 366-1959; Lou E. Dixon, Principal Assistant Inspector General for Auditing and Evaluation, at (202) 366-1427; or Earl Hedges, Acting Assistant Inspector General for Financial and Information Technology Audits, at (410) 962-1729.

cc: Deputy Secretary
    Assistant Secretary for Budget and Programs/Chief Financial Officer
    CIO Council Members
    Martin Gertel, M-1

EXHIBIT A. Scope and Methodology

The Federal Information Security Management Act of 2002 (FISMA) requires that we perform an independent evaluation to determine the effectiveness of the Department's information security program and practices.
FISMA further requires that our evaluation include testing of a representative subset of systems and an assessment, based on our testing, of the Department's compliance with FISMA and applicable requirements. On April 21, 2010, the Office of Management and Budget (OMB) issued M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, which provides instructions for inspectors general for completing their FISMA evaluations and the required OMB template. For 2010, OMB has required the use of a common Web portal to upload its required metrics, a significant number of which have changed.

To meet FISMA and OMB requirements, we selected a representative subset of 33 departmental systems (see Table 12) and reviewed the compliance of these systems with NIST and OMB requirements in the areas of risk categorization, security plans, annual control testing, contingency planning, certification and accreditation, incident handling, and plans of action and milestones. To evaluate FDCC compliance within the Department, 77 individuals within the Washington area with government-provided computers were tested for Windows, Internet Explorer and Windows firewall compliance. We used a NIST-approved SCAP tool to perform these evaluations. Our sample of 77 individuals included 63 statistically selected individuals, and all 14 individuals from the FMCSA remote site, which was selected based on geographical location and is representative of FMCSA remote sites throughout the US.

In addition, for account and identity management, we reviewed four general support systems (GSS): (1) Common Operating Environment (COE) Local Area Network (LAN), (2) Volpe Center LAN, (3) U.S. Merchant Marine Academy (USMMA) LAN, and (4) Federal Aviation Administration/Air Traffic Organization (FAA/ATO) LAN.
We also conducted testing to assess the Department's inventory, its overall process of resolving information security weaknesses, configuration management, incident reporting, security-awareness training, remote access, and account and identity management. Our tests included analysis of data contained in the Department's Cyber Security Assessment and Management system, reviews of supporting documentation, and interviews with departmental officials. We also used commercial scanning software to assess compliance with Federal Desktop Core Configuration requirements.

Exhibit A. Scope and Methodology

Table 12: OIG's Representative Subset of DOT Systems

  Operating Administration(a)   System                                                 Impact Level      Contractor System?
  FAA       110A (110A Inspector Credentials)                                          High              No
  FAA       ANICS (Alaskan NAS Interfacility Communications System)                    Moderate          No
  FAA       ATOS (Air Transportation Oversight System)                                 High              No
  FAA       BMX (Business Management Solutions)                                        Moderate          No
  FAA       CMIS (Certificate Management Information System)                           Low               No
  FAA       CMRIS (Consolidated Management Resource Information System)                Low               No
  FAA       CSMC Intrusion Detection Prevention System, IDPS (DR, NIDS, & WIDS)        Moderate          No
  FAA       FDIO (Flight Data Input/Output)                                            Low               No
  FAA       FPPS (Facility Power Panel System)                                         Low               No
  FAA       FSIMS (Flight Standards Information Management System)                     High              No
  FAA       FSTNA (Flight Standards Training Needs Assessment)                         Moderate          No
  FAA       GIMS (GNAS Information Management System)                                  Low               No
  FAA       LERIS (Labor and Employee Relations Information System)                    Moderate          Yes
  FAA       OPSS (Operations Specifications Sub-System)                                High              No
  FAA       SOAR (System of Airport Reporting)                                         Moderate          No
  FHWA      Delphi Interface Maintenance System (DIMS)                                 High              No
  FHWA      Knowledge Management                                                       Moderate          No
  FHWA      User Profile and Access Control System (UPACS)                             High              No
  FHWA      Video Conferencing System                                                  Low               No
  MARAD     Cadet Training Berthing System (CTBS)                                      Not Categorized   No
  MARAD     Cargo Preference Overview System (CAPOS)                                   Not Categorized   No
  MARAD     Credit Program Portfolio Management System (CPPMS)                         Not Categorized   No
  MARAD     MARAD Common Infrastructure (MCI)                                          Not Categorized   No
  MARAD     MARAD Internet                                                             Not Categorized   No
  MARAD     Marine View (Marview)                                                      Not Categorized   No
  MARAD     Virtual Office Acquisition (VOA)                                           Not Categorized   No
  NHTSA     Mission Based Moderate Impact System(b)                                    Moderate          No
  OST       Congressional Reporting Requirements Tracking System (CRRTS)               Low               No
  OST       DELPHI                                                                     Moderate          No
  RITA      Transtats                                                                  High              No
Source: OIG
(a) See Exhibit B for full Operating Administration names.
(b) NHTSA "Mission Based Moderate Impact System" is composed of 4 systems (GTS, VSH, MVII, CARSII), which increased the C&A sample systems reviewed from 30 to 33.

As required, we submitted to OMB qualitative assessments pertaining to DOT's information security program and practices. OMB requires that our FISMA submission include information from all DOT Operating Administrations, including OIG. In addition to preparing our submission, we reviewed the Department's progress in resolving weaknesses and implementing recommendations identified in our prior year's FISMA report.

We performed our information security review work between March 2010 and October 2010. We conducted our work at departmental and Operating Administration Headquarters offices in the Washington, D.C., area. We conducted our audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Generally accepted government auditing standards require us to disclose impairments of independence or any appearance thereof. OMB requires that the FISMA template include information from all DOT OAs, including OIG.
Because the OIG is a small component of the Department, based on number of systems, any testing pertaining to the OIG or its systems does not impair our ability to conduct this mandated audit.

Previous audit reports on the Department's information security program issued in response to the FISMA legislative mandate (formerly the Government Information Security Reform Act) include:

Audit of DOT's Information Security Program and Practices, FI-2010-023, November 18, 2009;
Audit of Information Security Program, FI-2009-003, October 8, 2008;
Information Security Program, FI-2008-001, October 10, 2007;
Information Security Program, FI-2007-002, October 23, 2006;
Information Security Program, FI-2006-002, October 7, 2005;
Information Security Program, FI-2005-001, October 1, 2004;
Information Security Program, FI-2003-086, September 25, 2003;
Information Security Program, FI-2002-115, September 27, 2002; and
Information Security Program, FI-2001-090, September 7, 2001.

EXHIBIT B. DOT OPERATING ADMINISTRATIONS AND SYSTEM INVENTORY COUNTS

  Operating Administration(a)                                        FY 2010   FY 2009
  Federal Aviation Administration (FAA)                                290       274
  Federal Highway Administration (FHWA)                                 22        21
  Federal Motor Carrier Safety Administration (FMCSA)                   21        21
  Federal Railroad Administration (FRA)                                 13        12
  Federal Transit Administration (FTA)                                   5         5
  Maritime Administration (MARAD)                                       21        10
  National Highway Traffic Safety Administration (NHTSA)                11        10
  Office of Inspector General (OIG)                                      2         2
  Office of the Secretary (OST)                                         33        36
  Pipeline and Hazardous Materials Safety Administration (PHMSA)         6         5
  Research and Innovative Technology Administration (RITA)              13        10
  Saint Lawrence Seaway Development Corporation (SLSDC)                  1         1
  Surface Transportation Board (STB)                                     2         2
  Total Systems                                                        440       409
Source: OIG, and DOT CSAM as of August 6, 2010
(a) For purposes of reporting under FISMA, we consider "Operating Administrations" to include all components listed above.

Exhibit B. DOT Operating Administrations and System Inventory Counts

EXHIBIT C. Status of Prior Year's Recommendations

  Recommendation Number   FY 2009 Recommendation                                                      Status
  1                       Revise the incident response policy to identify conditions under which      Open
                          incidents should be reported to law enforcement (i.e., OIG), how the
                          reporting should be performed, what evidence should be collected, and
                          how it should be collected
  2                       Revise the security awareness and training policy to include the            Open
                          identification of all users, such as employees, contractors, and others
                          requiring access to DOT information systems.
Include provisions in the\n                 policy to separate these active user accounts from the\n                 non-person accounts.\n                 Revise training policy to list the job functions that\n                 require specialized security training and the type of\n       3                                                                      Open\n                 specialized training that is required for those job\n                 functions as described in NIST SP 800-16.\n                 Revise policy to address security of information and\n                 information systems managed by contractors,\n                 including information security roles and\n       4         responsibilities, security control baselines and rules for   Open\n                 departures from baseline, and rules of behavior for\n                 contractors and minimum repercussions for\n                 noncompliance.\n                 Revise the interface agreement policy to incorporate\n                 necessary elements, such as purpose of the\n                 interconnection, description of security controls,\n       5                                                                      Open\n                 schematic of interconnection, timelines for terminating\n                 or reauthorizing the interconnection, and authority of\n                 establishing the interconnection.\n                 Revise the plan of action and milestones policy to\n                 address all the OMB requirements, including\n       6         description of weakness, scheduled completion date,          Closed\n                 key milestones, changes to milestones, source of the\n                 weakness, and status.\n                 Ensure that the Federal Aviation Administration, Saint\n                 Lawrence Seaway Development Corporation, and\n                 Pipeline and Hazardous Materials Safety\n       7                                                  
                    Open\n                 Administration have deployed DOT approved\n                 configuration baselines and tools to assess\n                 implementation status.\n                 Use automated tools to periodically verify status of\n                 completion reported by Operating Administrations and\n       8                                                                      Open\n                 identify deviations from the approved baseline\n                 configurations.\n\n\n\n\nExhibit C. Status of Prior Year\xe2\x80\x99s Recommendations\n\x0c                                                                                     36\n\n\nRecommendation\nNumber           FY 2009 Recommendation                                     Status\n                 Require Operating Administrations to manage\n                 identified deviations from approved baseline\n                 configurations by tracking and resolving significant       Open\n       9\n                 baseline configuration weaknesses in plan of actions\n                 and milestones.\n                 Work with Operating Administration Chief Information\n                 Officers to ensure that all new IT contracts include the\n                                                                            Open\n      10         acquisition language on common security\n                 configurations as required by DOT and OMB M-07-18.\n                 Work with the CSMC to develop a process to ensure\n                 that all Department of Homeland Security reference\n                                                                            Open\n      11         numbers are received and entered into the DOT\n                 tracking system for confirmation.\n                 Develop and establish a tracking system that\n                 effectively and routinely accounts for all active          Open\n      12\n                 contractors requiring security 
awareness training.\n                 Develop a mechanism to enforce that all employees\n                 including contractors with login privileges have\n                 completed the required annual security awareness           Open\n      13\n                 training in order to gain and maintain access to\n                 Department information systems.\n                 Identify and ensure all employees with significant\n                 security responsibilities take the necessary specialized   Open\n      14\n                 security training to fulfill their responsibilities.\n                 Monitor, and report to the Deputy Secretary, Operating\n                 Administrations\xe2\x80\x99 progress in resolving long overdue\n                 security weaknesses, reestablishing target completion\n                 dates in accordance with departmental policy,\n                                                                            Open\n      15         providing cost estimation for fixing security\n                 weaknesses, prioritizing weaknesses, and recording all\n                 identified security weaknesses in plan of actions and\n                 milestones.\n                 Ensure accurate information is used to monitor\n                 Operating Administrations\xe2\x80\x99 progress in correcting          Open\n      16\n                 security weaknesses.\n                 Require Chief Information Security Officer and\n                 Operating Administrations conduct a review to identify\n                 all interfaces with systems external to the Department,\n                                                                            Open\n      17         ensure related security agreements are adequate, and\n                 track them in the Cyber Security Assessment and\n                 Management system.\n                 Ensure that Maritime Administration properly\n                 inventories its information systems 
and tracks them in\n                                                                            Open\n      18         the Cyber Security Assessment and Management\n                 system. (MARAD)\n                 Ensure that Maritime Administration certifies and\n                 accredits each system in the revised inventory.            Open\n      19\n                 (MARAD)\n\n\nExhibit C. Status of Prior Year\xe2\x80\x99s Recommendations\n\x0c                                                                                    37\n\n\nRecommendation\nNumber           FY 2009 Recommendation                                    Status\n                 Improve its quality assurance checks on the Operating\n                 Administrations\xe2\x80\x99 certifications and accreditations by\n                 increasing the frequency and scope of its checks,\n                 communicating results and expected actions to the\n                 Operating Administrations, requiring updated plan of      Open\n        20\n                 actions and milestones to address weaknesses noted\n                 (including those found in the Inspector General\n                 reviews), and follow-up on resolution of weaknesses\n                 noted.\n                 Require Federal Aviation Administration, Federal\n                 Highway Administration, Federal Railroad\n                 Administration, Maritime Administration, Office of the\n                 Secretary of Transportation and Pipelines and             Open\n        21\n                 Hazardous Materials Safety Administration to conduct\n                 system contingency testing of the systems that did not\n                 have evidence that of such tests.\n                 Develop a process to ensure Operating\n                 Administrations continuously monitor and test             Open\n        22\n                 information system security controls.\n                 Finalize the inventory count 
for systems containing\n                                                                           Closed\n        23       privacy information.\n                 Work with Operating Administrations to complete\n                 privacy impact assessments for applicable information     Open\n        24\n                 systems.\n                 Work with the Federal Aviation Administration to\n                 establish a reasonable target date for the completion\n                                                                           Open\n        25       of the reduction of social security numbers recorded in\n                 its systems.\n                 Implement 2-factor authentication for remote access.      Open\n        26\n                 Implement NIST-approved encryption on all mobile\n                                                                           Open\n         27      computers/devices.\nSource: OIG\n\n\n\n\nExhibit C. Status of Prior Year\xe2\x80\x99s Recommendations\n\x0c                                                            38\n\n\nEXHIBIT D. MAJOR CONTRIBUTORS TO THIS REPORT\nName                               Title\n\nLouis C. King                      Program Director\n\nMichael Marshlick                  Project Manager\n\nLissette Mercado                   Project Manager\n\nMartha Morrobel                    Information Technology\n                                   Specialist\n\nJames Mullen                       Information Technology\n                                   Specialist\n\nTim Roberts                        Information Technology\n                                   Specialist\n\nTracy Colligan                     Information Technology\n                                   Specialist\n\nPetra Swartzlander                 Statistician\n\nSusan Neill                        Writer-Editor\n\n\n\n\nExhibit D. Major Contributors to this Report\n\x0c                                39\n\n\nAPPENDIX. 
MANAGEMENT COMMENTS\n\n\n\n\nAppendix. Management Comments\n\x0c                                40\n\n\n\n\nAppendix. Management Comments\n\x0c                                41\n\n\n\n\nAppendix. Management Comments\n\x0c                                42\n\n\n\n\nAppendix. Management Comments\n\x0c                                43\n\n\n\n\nAppendix. Management Comments\n\x0c                                44\n\n\n\n\nAppendix. Management Comments\n\x0c'